Security firms have discovered Android apps that are laden with malware to turn your phone into a cryptocurrency mining machine, all for the benefit of someone else and to the detriment of your device. It’s of course a ridiculously inefficient way to get your hands on some digital currency—there’s a reason students have been hijacking university supercomputers to mine dogecoins—but that doesn’t seem to have stopped someone trying it.
The BBC reports that security companies Lookout and Trend Micro found mining malware in several Android apps, a couple of which were listed in the official Google Play store: Songs and Prized.
“These apps have been downloaded by millions of users, which means that there may be many Android devices out there being used to mine cryptocurrency for cybercriminals,” wrote Trend Micro on their blog. Spain and France seemed to be particular hotspots for the malware, according to Lookout.
But while getting together a large group of machines is a tried and tested technique for mining cryptocurrencies, it doesn’t really work with phones; the hardware’s just not powerful enough. While they can technically mine, the return rate is so poor—“glacial” is the word that Trend Micro analyst Veo Zhang uses—that the whole operation is pretty pointless.
Lookout explained there’s no use even trying to mine bitcoin with such a ploy, because the difficulty rate and therefore the processing power required to mine is just way too high. “A recent mining experiment using 600 quadcore servers was only able to generate 0.4 bitcoins,” they wrote. That’s likely why this malware has been targeting litecoin and dogecoin, which are literally a million times easier.
But that compromise means the payoffs are also smaller, and at the rate a smartphone can mine, they’re not going to be funding any crypto-luxurious lifestyles soon. Lookout gave it a go:
“When we tested the feasibility of mining using a Nexus 4 by using Android mining software such as the application ‘AndLTC’, we were only able to attain a rate of about 8Kh/s – or 8,000 hash calculations per second, the standard unit of measure for mining. Using a Litecoin calculator and the difficulty setting mentioned above we can see that this would net us 0.01 LTC after seven days non-stop mining. That’s almost 20 cents.”
Not exactly a get-rich-quick scheme, especially considering the effort and presumable investment put into the malware in the first place. But just because phones aren’t very good at mining cryptocurrencies doesn’t mean they don’t put a lot of effort into it. They do—so much so that this kind of malware could damage the hardware.
If your phone’s a slave to this kind of system, it’s likely to lose battery quickly, charge slowly, and potentially overheat. Your data plan could also get totally rinsed by the scheme if the malware tries to download a block chain. (If your phone’s playing up, you might want to delete any suspicious-seeming apps.)
As well as being a total nuisance to anyone whose device is infected, this attack clearly isn’t exactly the stealthiest of approaches. But as the world gets increasingly turned on by emerging cryptocurrencies that are easier to mine when they first start out, we can probably expect to see more similar scams in the future. Not everyone has access to a whole lab of (poorly secured) computers to satisfy their dogecoin appetite, after all.